Re: [Proftpd-user] proftpd hanging

SourceForge Headquarters 225 Broadway Suite 1600 San Diego, CA 92101 +1 (858) 454-5900

TJ Saunders <tj...@ca...> writes:

>> However, the error log is more or less a side problem. My main problem
>> is that there are no SSL/TLS connections possible any more with
>> mod_tls.
>> 
>> The new release 1.3.3a has been published today and the release notes
>> promise a fix of SSL_shutdown() errors. If your assumption is right,
>> my mod_tls related problems could be fixed as well. Immediately, I
>> build ProFTPD 1.3.3a against OpenSSL 0.9.8n. My test results are
>> a bit suprising:
>> 
>> - The SSL_shutdown() errors do still appear in the log files. The
>>   "TLSOptions EnableDiags" just gives some more information.
>
> Could you provide that additional EnableDiags information?  Since I'm not 
> able to reproduce the behavior locally, I'm totally dependent on people 
> experiencing the issue for data.
>
> The patch for Bug#3419 would still produce the same TLSLog entries; the   
> functional change is that for SSL_shutdown() return value, mod_tls no
> longer considers it a fatal error and closes the session.  Instead,
> mod_tls just logs the case, and moves on with its business.
>

The slightly more detailed SSL_shutdown() error log message is:

Jul 03 11:37:13 mod_tls/2.4.1[8428]: [msg] sent TLSv1 warning 'close_notify' Alert message (2 bytes)
Jul 03 11:37:13 mod_tls/2.4.1[8428]: [info] writing: SSL/TLS alert warning: close notify
Jul 03 11:37:14 mod_tls/2.4.1[8428]: panic: SSL_ERROR_SYSCALL, line 4574: Broken pipe
Jul 03 11:37:14 mod_tls/2.4.1[8428]: unexpected OpenSSL error, disconnecting
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions attempted: 4
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions established: 4
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions renegotiated: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions resumed: 3
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL sessions in cache: 1
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache hits: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache misses: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache timeouts: 0
Jul 03 11:37:14 mod_tls/2.4.1[8428]: [stat]: SSL session cache size exceeded: 0

Tls log entries are produced by the configuration statements
"TLSLog /var/log/proftpd/proftpd.tlslog" and "TLSOptions EnableDiags".

>> - mod_tls connections are possible again, ProFTPD is not hanging 
>>   anymore.
>
> That's certainly good news.
>  
>> I am happy to have back a working mod_tls enabled ProFTPD of
>> the latest release. Nevertheless, I would like to know, if I should
>> give an OpenSSL update a try. Latest sub 1.0.x version is 0.9.8o,
>> version 1.0.x still needs some time to become more stable.
>
> I just built OpenSSL-0.9.8o on my Ubuntu 9.04 laptop, and ran the mod_tls 
> regression tests I have against it, without issue.  Caveat emptor: the 
> regression tests rely on Perl's Net::FTPSSL, with which I can't reproduce 
> all of the various FTPS client behaviors.  But it's enough for me to say 
> "sure, give OpenSSL-0.9.8o a try in your environment to see what happens".
> The changes described between OpenSSL-0.9.8o and OpenSSL-0.9.8l, for 
> example, don't immediately strike me as likely to cause problems for 
> mod_tls.

Thanks for advice and experiences. I'll test OpenSSL 0.9.8o as soon as
I have some time left and I am going to share my experiences in this
thread.

>
>> By the way: ProFTPD 1.3.2e produces the same SSL_shutdown() log
>> errors as 1.3.3 and 1.3.3a do. My tests reveal the following mod_tls
>> versions:
>
> Using which FTPS client, exactly?  Not all FTPS clients use the same SSL 
> libraries, and the ways in which the clients disconnect/close data 
> connections vary quite widely...
>
> Cheers,
> TJ
>

Most of the time I use lftp 4.0.9. Surprisingly, FileZilla 3.3.3 does
not produce this SSL_shutdown() error log with ProFTPD 1.3.3a while
lftp still does.

Until now ProFTPD 1.3.3a now longer hangs on SSL/TLS connections
independant of the used FTP client.

Regards,
Peter

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
>    Those have most power to hurt us, that we love.
>
>    	-Francis Beaumont
>
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> ------------------------------------------------------------------------------
> This SF.net email is sponsored by Sprint
> What will you do first with EVO, the first 4G phone?
> Visit sprint.com/first -- http://p.sf.net/sfu/sprint-com-first
> _______________________________________________
> ProFTPD Users List   <pro...@pr...>
> Unsubscribe problems?
> http://www.proftpd.org/list-unsub.html